Lecture_4

advertisement
Sigurnost računala i podataka
Mario Čagalj
Sveučilište u Splitu
2013/2014.
User Authentication
Computer Security: Principles and Practice
by William Stallings and Lawrie Brown
Produced by Mario Čagalj
User Authentication: Introduction
 Protective measures (e.g., access control, accountability) make
sense only if we can identify and authenticate users
 Authentication validates user identity
 Often as prerequisite to allowing access to the system resources
 Authentication process consists of two steps
 Identification step
 Presenting an identifier to the system (e.g., userID, username)
 Verification (authentication) step
 Presenting or generating authentication information that binds the entity
presenting the identifier and the identifier itself
 Distinct from message authentication
3
Means of Authentication
 There are four general means of authenticating a user’s
identity
 Something the user knows
 Password, personal idnetification number (PIN)
 Something the user possesses
 Smart cards, physical keys, tokens
 Something the user is (static biometrics)
 Recognition by fingerprint, face, retina, iris
 Something the user does (dynamic biometrics)
 Recognition by voice pattern, hadwriting style, typing rhythm
 Can be used in combination
 All have advantages and issues
4
Password-Based Authentication
Password Authentication
 Widely used user authentication method
 User provides name/login (username) and password
 System compares password with that saved for specified login
 Authenticates ID of user logging and provides security by
 Determining that the user ID is authorized to access system
 Determines the user’s privileges (e.g., admin or not)
 Is used in discretionary access control (e.g., a user owning a file
may enable another entity to access this file – next lecture)
6
Password Vulnerabilities
 Offline dictionary attack
 Attacker obtains system password file (with password hashes)
and compares password hashes against hashes of passwords
from the dictionary
 Specific account attack
 Submit candidate passwords until the correct password
discovered or until the account is locked (e.g., after 3 failed
attempts)
 Popular password attack
 Try popular passwords against a range of user IDs
 Password guessing against single user
 Make educated guesses based on knowledge about the user
(age, gender, marital status, ...)
7
Password Vulnerabilities
 Workstation hijacking
 Steal unlocked workstation and use e.g. Cain&Abel to recover
the password
 Exploiting user mistakes
 Passwords written down, shared, social engineering
 Exploiting multiple password use
 Password reuse problem (due to cognitive overload)
 Electronic monitoring
 Intercept passwords communicated across a network (simple
and naive encryption does not help here)
8
Password Vulnerabilities: Examples
Watch this video http://vimeo.com/2007855
(Compromising EM Emanations of Keyboards)
Oakland - [Backes2008]
9
Storing Passwords
 Passwords are never stored in clear text
 The risk of theft would be great
 Instead, a hash of a password is stored
 Recall, hashing is a one-way function which gives a unique and
unreversable result (hash value, message digest)
 If a user provedes a correct password, its hash must be
identical to the hash stored (previously) in the password file
Cleartext password
Password file
One-way function
(e.g., hash or encryption)
User ID
“Hashed” password
 Password-based authentication in Unix and Windows
10
Passwords in Unix
Unix Password Scheme
 To load (create) a new password into the system
 The user selects or is assigned a password
 This password is combined with a fixed-length salt value
Salt
Password file
Password
Slow hash
function
User ID
Salt
Hash value
Bob
7a
ri79KNd7v6.Sk
Loading a new
password
Load
User ID
Password file
Select
User ID
Salt
Hash value
Bob
7a
ri79KNd7v6.Sk
Salt
Password
Slow hash
function
Verifying a
password
Compare
Hash value
12
Unix Password Scheme: Salt Values
 Offline dictionary attack
 Assume: the goal is to guess a single pwd & salt not used
 Attacker obtains a copy of the password file
 Attacker hashes likely candidate passwords and compare
obtained hash values with the ones in the password file
 If any of the guesses matches one of the hashes in the file, the
attacker has found a password that is in the file
 The salt value serves three purposes
 Prevents duplicate passwords to be visible in password file
 Increases difficulty of offline dictionary attacks (k bits salt
increases guessing load by a factor of ~2k)
 Not possible to find out whether a user with passwords on two
or more systems has used the same passwords on all of them
13
Unix Hashed Pwd Implementation
 The original scheme (crypt(3) routine)
 8 character password form 56-bit secret key
 12-bit salt perturbs DES encryption algorithm in one of 4096
different ways
 0 value repeatedly encrypted 25 times (slows down guesses)
 Output translated to 11 character sequence
Salt
12 bits (2 characters)
am
Zeros
64 bits
DES
hiOY1vb4nIE
Hash
64 bits (11 chars)
test
56 bits (up to 8 characters,
only 7 bits of each char is taken)
pwd
salt
crypt(3) hash
test
am
hiOY1vb4nIE
test
ri
j.uEL2QOTHU
test
7a
FB/N4.DacNU
14
Unix Password Hashes
 crypt(3)-based implementation is inadequate today
 8 chars (i.e., 56 bits) are are simply too few
 Dictionary attack investigated using the Blue Horizon supercomputer
 Precomputed and stored 207 billion hashes (~1.5 TB) for over 50 milion passwords in about
80 min (207 x 109 / 50 x 106 approx. 4096 – #salt values)
 Time-memory tradeoffs
 Effective when salt is not used (Oechslin’03 showed that using 1.4GB of
data – rainbow tables - Windows LM hashes broken in <14 sec)
 Better hashes for Unix
 Modern Unix systems based on MD5 hashes instead of DES hashes
 Advantages:
 Passwords can have more than 8 characters
 Produces 128 bit hash values
 Longer salt values (48 bits)
 “Very” slow (1000 inner loops)
15
Password File Access Control
 Old method: names and hashes are stored in /etc/passwd
 Free for anybody to read
 Opens up for easy offline dictionary attack
 Safer method: the hashes stored in separate file /etc/shadow
 Only root can access to this file
root:x:0:0:root:/root:/bin/bash
mcagalj:x:1001:1001:,,,:/home/mcagalj:/bin/bash
root:aQtsvOTXjNRbY:10919
mcagalj:HYy0b0xFEWIZw:10919:
 Theft of Unix Hashes
 Goal: gain access to /etc/shadow
 Boot the machine on a CD
 Obtain root privileges (e.g., by using an exploit)
16
Logon and Authentication in Windows
Logon Authentication Scenarios
 There are four types of logon processes in Windows 2000,
Windows Server 2003/08 and Windows XP Professional
 Interactive logon
 Logs on to a local computer to which you have direct physical access
(includes terminal services and remote desktop logon processes)
 Network logon
 Controls access to a system running different Windows operating
systems across the network from the computer where you logged on
 Service
 Authenticates and autheorizes different Windows services
 Batch
 Reserved for batch jobs (e.g., big print spools, bank account
reconciliation); rarely used
18
Interactive Logon: Windows Server 2003
 Interactive logon begin with the secure attention sequence
CTRL+ALT+DEL
 GINA DLL generates logon dialog box
 User logs on using either local or domain account
 User enters user name and password (alternatively,
a smart card- requires external device- and PIN)
 Local logon
 Authorizes access to local computer and resources
 Security Account Manager (SAM) DB holds account info (e.g., pwd hashes)
 Domain logon
 Give access to domain resources; account info in Active Directory domain
 Single Sign On (SSO) – one time logon
 Cached Credentials – once successfully authenticated, allows access to
resources even when the domain controller not avaliable
19
Interactive Local and Domain Logon
 Local logon
LSA: Local Security Authority
 Domain logon
20
Local Security Authority (LSA)
 LSA is a Windows security subsystem that authenticates
and logs users on to the local computer
 Manages local security policy
 E.g., which domains are trusted, who can have access to the system, who
is assigned what rights, what security auditing is performed
 Provides interactive user authentication services
 Generates access tokens
 Manages the audit policy
21
LSA Architecture
 DLLs responsible for individual authentication mechanisms
 NTLM (Msv1_0.dll)
 Digest (Wdigest.dll)
 Kerberos (Kerberos.dll)
 TSL/SSL (Schannel.dll)
22
Primary Authentication Protocols in
WinNT4.0, WinXP Pro, Win2K, WinSrv03
 Microsoft Windows supports various methods to authenticate a
user (or a computer)
 Kerberos protocol is the core
 Since the introduction of Windows 2000
 Enables mutual authentication between client (user,computer,service) and server
 Secure and scalable
 LSA acts as a proxy between a client and Kerberos Key Distribution Service (KDS)
that issues service granting tickets to the client
 NTLM protocol (3 methods of challenge/response authentication)
 Default in WindowsNT 4.0, also included in WinSrv03 for compatibility with
versions earlier than Windows 2000
 LAN Manager (LM)
 NTLM version 1
 NTLM version 2
 In this lecture we focus on (in)security of NTLM protocol
23
NTLM vs Kerberos Login Process
 NTLM:
 Kerberos:
24
NTLM: LM Hash (e.g., in WinXP)
 LM authentication based on weak cryptographic procedures
 User ASCII password converted to uppercase
 Password null-padded or truncated to 14 bytes
 The “fixed-length” password is split into two 7-byte halves
 These two values are used to create two DES keys
 One from each 7-byte half, by converting the seven bytes into a bit stream, and
inserting a null bit after every seven bits (so 1010100 becomes 01010100); this
generates the 64 bits needed for the DES key.
 Each of these keys is used to DES-encrypt the constant ASCII string
KGS!@#$%, resulting in two 8-byte ciphertext values
 These two ciphertext values are concatenated to form a 16-byte value,
which is the LM hash
 The resulting LM hash stored in the SAM (Security Accounts Manager)
database (locally or at the domain controller)
25
NTLM: LM Hash Insecurity
 Password characters are restricted to the ANSI printable
character set (95 characters)
 Passwords longer than 7 characters are divided into two pieces
and each piece is hashed separately (truncated to 14 bytes)
 Brute-force complexity
 There are 9514 ~ 292 passwords with 14 printable characters
 But, 957 ~ 246 passwords with 7 printable characters (one half)
 Only uppercase characters used 697 ~ 243 (breakable in few hours!)
 LM hash does not include salt, therefore a time-memory trade-
off cryptanalysis attack, such as rainbow tables, is also feasible
 TMTO-based attacks break LM hashes in matter of seconds!
 0phcrack, Cain&Abel
26
NTLM: NTLM version 1
 NTLMv1 developed to replace the weaker LAN Manager
 Take a password (respects upper and lowercase)
 Calculate the MD4 of it – 128 random bits (16 bytes)
 292 passwords with 14 printable characters
 Store this value – NTLM Hash
27
NTLM: Network Login with NTLMv1
 Used to authenticate
 Web site users, file share access, printer access, RPC calls, etc.
 Challenge-response authentication
 Domain controller (server) sends a random challenge to the
workstation of the user
 The workstation encrypts the challenge with the NTLM hash of
the password and sends it to the controller (server)
 The controller does the same operation using the NTLM hash
stored locally and compares the results
28
NTLMv1 Challenge/Response Details
 How NTLM Hash & Challenge  NTLMv1 Response
MD4 of password=0x0123456789ABCDEFFEDCBA9876543210
Broken into three “Key Chunks”
 Key 1: 0123456789ABCD
 Key 2: EFFEDCBA987654
 Key 3: 32100000000000
NTLMv1 Response =
DES(Key1, Challenge) + DES(Key2, Challenge) + DES(Key3,
Challenge)
29
NTLMv1: Some Security Issues
 Response generation requires only the NTLM Hash (the
password authenticator)
 NTLM Hash is password equivalent (not the case in Unix - salt)
 NTLM Hash exposure is therefore catastrophic  login without pwd!
 Weak DES cipher is used
 Effort to try all DES keys: 2 x 256+216 ~ 257 for all three portions of the
NTLM Response
 10 character alphabetic mixed case password has about 257
possibilities
 Therefore for longer passwords, easier to bruteforce DES
 Active man-in-the-middle
 Attacker provides known challenge and launch pre-computed
dictionary attacks
30
NTLMv1: Other Shortcomings in
Windows NT/2k
 By default NT workstations send two responses to the
challenges
 One using NTLM Hash
 One using LM Hash (for backward compatibility)!
 Show Wireshark traces here
31
NTLM: NTLM version 2
 NTLMv2 significantly improves authentication of NTLM
 NTLMv2 Challenge/Response Details
 Both client and server generate random challenges
CS = 8-byte server challenge, random
CC = 8-byte client challenge, random
CC* = (X, time, CC, domain name)
Prevents pre-computed
dictionary attacks
MD4 hash of
a password
 Calculate NTLMv2 Response
v2-Hash = HMAC-MD5(NTLM Hash, user name, domain)
NTv2 = HMAC-MD5(v2-Hash, CS, CC*)
NTLMv2 Response = CC | NTv2 | CC*
32
LM, NTLMv1 and NTLMv2 Comparison
LM
Password case
No
sensitive
Hash key
length
56 + 56 bit
NTLMv1
NTLMv2
Yes
Yes
-
-
Password hash
DES (ECB mode) MD4
algorithm
MD4
Hash value
length
64 + 64 bit
Chall.-Resp.
key length
56 + 56 + 16 bit 56 + 56 +16 bit
128 bit
Chall.-Resp.
algorithm
DES (ECB mode) DES (ECB mode)
HMAC_MD5
Chall.-Resp.
value length
64 + 64 + 64 bit 64 + 64 + 64 bit
128 bit
128 bit
128 bit
33
From Windows 2000 on - Network Login
 In a native W2k enviroment, the Kerberos protocol is used to
carry out network logins
 Kerberos authenticates both the user and the server (no more
man-in-the-middle attacks)
 The user is authenticated by the NTLM hash of the password
 The server is authenticated by a password known by all workstations in the
given domain
 The user is issued lifetime limited access tickets
 One Ticket-Granting-Ticket (TGT)
 Many service tickets using TGT
 No need of re-authentication to access a service as long as TGT is valid
(single sign-on)
 Kerberos protocol is very secure
34
Storing of Hashes in NT and 2k
 The NTLM and LM hashes of all users are stored in the SAM file
or in the Active Directory (ntds.dit)
 Since W2k SP2 it is possible to deactivate LM hash generation
WinXP Profess.
(Win7 on slide 27)
 The file containing the hashes is locked by the kernel at startup
 Can be stored at several
locations!
35
Storing of Hashes in NT and 2k
 Since NT SP3 the SAM can be encrypted (default in W2k)
 Microsoft©Syskey utility
 If not encrypted, one can steal hashes by rebooting from CD
 If encrypted, administrator rights are needed to steal the hashes (using a
tool like pwdump)
36
Protective Measures(Administrator)
 Use only pure Unix or Win2k or higher networks
 Deactivate LM hash generation (e.g., Win7)
 Secure the file containing the hashes
 Windows: use syskey utility
 Unix: use /etc/shadow
 Use Kerberos protocol whenever possible
 Restrict physical access to servers containing hashes
 Apply all latest security patches and service packs
 Apply tools that force users to chose strong passwords
 Audit the passwords regularly
37
Security Tokens
9.11.2010.
Security Tokens (something you have)
 Objects that a user possesses for the purpose of user
authentication are called (authentication) tokens
 The system can verify that a user owns a unique token
 Two-factor authentication
 E.g. the combination of a password (something you know) and a
token (something you have) considerably increases security
 Examples:
 Scratch lists
 SecureID tokens (display a new 6 digit number every minute)
 Calculators
 Magnetic and smart cards
39
Example: Secure Internet Banking
Offline card reader
User knows
User owns
Hiltgen et al. “Secure Internet Banking Authentication”, IEEE Security & Privacy, 2006
40
Biometric Authentication
9.11.2010.
Biometrics (something you are)
 Science of measuring physical characteristics of human beings
 A biometric authentication system attempts to authenticate an
individual based on unique physical characteristics
 Human physical characteristics
 Fingerprint
 Shape of a hand
 Iris
 Retina
 DNA
 Face...
 Human behavior
 Dynamics of signature (speed, preasure, direction)
 Voice
 Keyboard usage
42
Operation of a Biometric System
43
Biometric Accuracy
 Biometric system
 Physical characteristics of the user mapped into a digital representation
 For each user a single representation (template) stored in the computer
 When user is to be authenticated, the system compared stored template to the
presented template
 Given the complexities of physical characteristics, we cannot expect the exact match
between the two templates
 Therefore, the system uses algorithms to evaluate a matching score (e.g., expresses
as a single number)
 It is hard to create a perfect biometric system
 Too sensitive  too many false negatives (false nonmatch)
 Unsensitive  too many false positives (false match)
44
Biometric Accuracy
 Biometric system
 Physical characteristics of the user mapped into a digital representation
 For each user a single representation (template) stored in the computer
 When user is to be authenticated, the system compared stored template to the
presented template
 Given the complexities of physical characteristics, we cannot expect the exact match
between the two templates (not possible to hash)
 Therefore, the system uses algorithms to evaluate a matching (similarity) score (e.g.,
expresses as a single number) between the two templates
 The problem: the similarity score will vary over different
authentication sessions for the given user
 Basic question: how to set the sensitivity of the system?
 E.g., what the threshold similarity score should be in order to grant
the user an access to the system?
45
Biometric Accuracy
 Too sensitive  too many false negatives (false nonmatch, reject)
 Unsensitive  too many false positives (false match, accept)
 By decreasing one, the other increases (and vice versa)
http://www.bromba.com/faq/biofaqe.htm
46
Biometric Accuracy
 For a given biometric scheme, we can plot the false match versus false
non-match rate, called the operating characteristic curve
NOTE: Logarithmic
scale is used.
Equal Error Rate
 How to pick a threshold matching score depends on application
 E.g., pick a threshold that corresponds to the point on the curve where
false positive rate = false negative rate
47
Biometric Discussion
 Shortcomings
 Information is never identical  not possible to hash (neither
for storage nor for storage)
 Risk of theft
 Not possible to change a stolen finger
 Some scanners can be fooled or replaced
 Ideal applications
 Physical access control
 Authentication for payments at a cash register
48
Download